This invention relates to a method and system for checking digital signatures and a smart card for using this method.
In particular, but not exclusively, it is applicable to the authentication of information and the verification of digital signatures in order to authorize specific processing. This processing consists in particular of recording rights in a card with an electronic microcircuit, for example in electronic transport ticket, electronic purse or reduction voucher distribution applications.
Cards with electronic microcircuits, called smart cards, are usually used as a mobile computer support for a wide variety of applications mostly requiring a high degree of security, and particularly bank operations, secure payments, access to buildings or secure areas and telecommunications.
For example, when it is required to update sensitive data in a smart card, such as a refill amount for an electronic purse application, the card must be capable of checking the source of an update order that it receives. This is done by associating the update order with a digital signature, in which the identity of the signatory is guaranteed by a certificate that is also associated with the update order.
A digital signature added to a message is usually obtained by applying a hashing function to the message to obtain a digest, and encrypting this digest using a private key known only to the signatory. Therefore, all that is necessary to check a signature is to have the hashing function and the public key corresponding to the private key used: the hashing function is applied to the message, the signature is decrypted using the public key, and the result obtained from the hashing function is compared with the result obtained by decryption. If these two results are identical, the signature is correct.
A public key certificate, for example conforming with the X509 or PKCS#6 standard, is composed of a combination of a public key used by a person, identification information for this person and a definition of a validity period. This combination of information is made impossible to falsify by a digital signature added by a certification authority, using a private key of the certification authority. All that is necessary to check this certificate is to have the public key of the certification authority corresponding to the private key used, and to use this public key to check that the digital signature really was issued by the certification authority. It is thus possible to make sure that a public key corresponds to the identity of a determined person. However, this principle does not guarantee that the person who is using the private key corresponding to the public key is actually the person identified in the certificate. Certification authorities usually do not guarantee this correspondence.
To guarantee such correspondence, it has been proposed to set up a chain or pyramid organization based on the “certificate chains” concept, in which the digital signature of each person is certified by the signature of an entity that was previously certified by another entity, and so on, until reaching a reference authority located at the top of the pyramid. In such an organization, a signature is based on the certificates of all the public keys needed to work upwards along the certification chain as far as the reference authority. Therefore, to check a signature, all certificates have to be checked until reaching a certificate issued by a known entity in the certification chain. It is also necessary that the public key of this known entity be stored reliably, so that it cannot be falsified.
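The signature check described above (hash the message, decrypt the signature with the public key, compare) and the walk up the certificate chain to a key the card already holds, as an added worked example that is not part of the original text. The keys, certificate format (subject, issuer, public key, validity period, signature) and the "Root CA"/"Transit CA"/"Reload Server" chain are constructed for illustration; only the standard library is used.

```python
import hashlib
E = 65537
# Constructed toy keys from Mersenne primes (offline, standard library only; not for real use).
def keypair(p, q):
    return {"n": p * q, "e": E}, {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}
ROOT_PUB, ROOT_PRIV = keypair(2**521 - 1, 2**61 - 1)
INTER_PUB, INTER_PRIV = keypair(2**607 - 1, 2**89 - 1)
LEAF_PUB, LEAF_PRIV = keypair(2**1279 - 1, 2**107 - 1)

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(priv, data: bytes) -> int:   # hash, then "encrypt" the digest with the private key
    return pow(digest(data), priv["d"], priv["n"])
def verify(pub, data: bytes, sig: int) -> bool:   # "decrypt" with the public key, compare
    return pow(sig, pub["e"], pub["n"]) == digest(data)
def encode(body: dict) -> bytes:   # canonical encoding of the signed part of a certificate
    return repr(sorted(body.items())).encode()

def issue(subject, issuer, pub, not_before, not_after, issuer_priv):
    # certificate = subject + public key + validity period, signed by the issuer's key
    body = {"subject": subject, "issuer": issuer, "n": pub["n"], "e": pub["e"],
            "not_before": not_before, "not_after": not_after}
    return {**body, "sig": sign(issuer_priv, encode(body))}

def verify_chain(chain, trusted, today) -> bool:
    # chain[0] is the leaf; each certificate is checked with the next one's key and
    # the last with a key from `trusted`, the only keys the card stores
    for i, cert in enumerate(chain):
        body = {k: v for k, v in cert.items() if k != "sig"}
        if not body["not_before"] <= today <= body["not_after"]:
            return False
        if i + 1 < len(chain):
            if chain[i + 1]["subject"] != cert["issuer"]:
                return False
            issuer_key = {"n": chain[i + 1]["n"], "e": chain[i + 1]["e"]}
        elif cert["issuer"] in trusted:
            issuer_key = trusted[cert["issuer"]]
        else:
            return False   # the chain never reaches a known entity
        if not verify(issuer_key, encode(body), cert["sig"]):
            return False
    return True
def check_order(order: bytes, sig: int, chain, trusted, today) -> bool:
    # accept an update order only if the chain is valid and the leaf key signed it
    leaf_key = {"n": chain[0]["n"], "e": chain[0]["e"]}
    return verify_chain(chain, trusted, today) and verify(leaf_key, order, sig)
TRUSTED = {"Root CA": ROOT_PUB}   # constructed sample: the card stores only the root key
INTER = issue("Transit CA", "Root CA", INTER_PUB, "2024-01-01", "2030-01-01", ROOT_PRIV)
LEAF = issue("Reload Server", "Transit CA", LEAF_PUB, "2025-01-01", "2026-01-01", INTER_PRIV)
ORDER, ORDER_SIG = b"purse:credit:EUR:20.00", sign(LEAF_PRIV, b"purse:credit:EUR:20.00")
```

Calling `check_order(ORDER, ORDER_SIG, [LEAF, INTER], TRUSTED, "2025-06-01")` accepts the order; the same call with a swapped root key, a missing intermediate certificate, an expired certificate or a modified order is rejected.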
The techniques that have to be used to manage such an organization can easily be installed in a PC type personal computer, particularly using Internet browsing software that integrates all or some of these functions with the SSL (Secure Sockets Layer) and HTTPS (Hypertext Transfer Protocol integrating SSL) protocols. However, these techniques are much more difficult to use in a smart card, which has significantly more limited calculation power and storage capacity. The certificate chains that have to be processed are very long compared with the usual characteristics of smart cards. Thus, a certificate conforming with the X509 standard may be several kbits long, and if the certificate chain is long, the card would have to process and store more information than its capacities allow.
In this respect, it is important to emphasize that the terminal to which the card is connected cannot execute such processing, nor can the terminal memory be used for this processing, without affecting security, since it would then be very easy to deceive the card, particularly by replacing one public key with another.
It has already been proposed to introduce all the public keys of the certification authorities in the certification chain into the memory of the smart card. However, this solution requires large memory capacities, considering that a public key frequently occupies more than one kbit. It is also necessary that these public keys be stored in a secure memory area to prevent the risk of fraud consisting of introducing an unauthorized key into this list of public keys. At the moment, the microcircuits installed in smart cards do not have sufficient secure memory capacity.